spf-discuss

Re: where is SES/BATV/ABBS?

2005-07-05 21:37:05
> On Tue, Jul 05, 2005 at 06:36:44PM -0400, Stuart D. Gathman wrote:
>
> > The weakness with that solution is that it is subject to replay
> > attacks.  One solution is to limit the number of validations for a
> > given sig in the server (requires only an in memory database of
> > successful validations and count).


Good point. I think the signed-sender + CBV suffers from this potential attack too, am I right? If it exists in both SES+CBV and SES+SPF+trickDNS, there may still be some benefits that the second method brings to the table.


--Mark Shewmaker <mark(_at_)primefactor(_dot_)com> wrote:

> If you're keeping a count anyway, after some number, say three
> verifications, you could also cause increasing delays, up to maybe 15
> seconds, but still resolve to a positive answer after that delay.
>
> That would keep that mailfrom value from being useful for being
> harvested by zombies.
>
> You could also limit the number of successful validations you allow
> to be returned within any set time period, afterwards returning the
> equivalent of a DNS temperror (I forget the name), for any subsequent
> query-then-delay, until the timer restarts.
>
> That makes the address even less useful for zombie use.


All good ideas. I think it's a good idea to be prepared for such an eventuality. Right now it's a theoretical answer to a theoretical problem that might occur if we use the theoretical proposal. We need more real-world experience in that area.


> Making the timing stricter after an hour after generation tightens
> things even further, without affecting legitimate users, but makes even
> the easier look-through-mailing-list-archives-for-mailfroms trick less
> useful.


I personally would guess that an aggressive timeout would work fine (like 1 hour). It's really there to get past the odd forwarding arrangement of the receiver. Most receivers will be satisfied with the a, mx, ip or whatever is front-most on your SPF record. Someone who is checking an hour after the fact isn't likely to use the result to reject the mail.

I wonder if David has any data on how much later the signed address gets hits or callbacks? That would be interesting data...



> (It would be cool if there were a way to transform the address that's
> understood to be a validity check that only gets you the 15 second delay
> and nothing else, so you could re-verify already-accepted mail and get
> more detailed results.  I'm not yet sure why this might be useful given
> the previous limits, but I keep thinking it might be.)


I'm not sure I understand what you meant by "transform" - do you mean so that the address is not useful for sending, but can still be audited? Maybe the trickDNS server can return a TXT record but not an A record after the timeout/use limit is reached?


--
Greg Connor <gconnor(_at_)nekodojo(_dot_)org>
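The replay limits proposed in this exchange (a per-signature success count, escalating delays after the first few validations, a temperror once a per-period quota is exhausted, and an aggressive lifetime of about an hour) are sketched below as one validator. This is an added illustration, not code from SES, SPF or any of the thread participants: the address layout `SES=<unix-ts>=<hmac-tag>=<local>@<domain>`, the 16-hex-digit HMAC-SHA256 tag, and every limit value are assumptions chosen to make the idea concrete. The validator returns the verdict together with the delay the caller should impose before answering, rather than sleeping itself, so it can be dropped behind a DNS front end or a CBV responder alike.

```python
"""Illustrative SES-style signed-sender validator with replay limits.
Added example; address layout, tag length and limits are assumptions."""
import hashlib
import hmac
import time

PASS, FAIL, NONE, TEMPERROR = "pass", "fail", "none", "temperror"


class SignedSenderValidator:
    """Signs and validates bounce addresses of the assumed form
    SES=<unix-ts>=<hmac-tag>=<local>@<domain>."""

    def __init__(self, secret, max_age=3600, free_validations=3,
                 delay_step=5, max_delay=15, max_per_period=10,
                 period=3600, clock=time.time):
        self.secret = secret
        self.max_age = max_age                    # lifetime (about an hour)
        self.free_validations = free_validations  # validations before delays
        self.delay_step = delay_step              # seconds added per extra hit
        self.max_delay = max_delay                # cap on the delay
        self.max_per_period = max_per_period      # successes allowed per period
        self.period = period                      # length of the quota window
        self.clock = clock                        # injectable for testing
        # In-memory state per tag: [total successes, window start, window count]
        self.seen = {}

    def _tag(self, local, ts):
        msg = f"{local}|{ts}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()[:16]

    def sign(self, local, domain, now=None):
        """Produce the signed MAIL FROM for an outgoing message."""
        ts = int(self.clock() if now is None else now)
        return f"SES={ts}={self._tag(local, ts)}={local}@{domain}"

    def validate(self, address, now=None):
        """Return (verdict, delay_seconds) for a claimed signed sender.
        The caller waits delay_seconds before answering PASS."""
        now = self.clock() if now is None else now
        local, _, _domain = address.rpartition("@")
        parts = local.split("=", 3)
        if len(parts) != 4 or parts[0] != "SES":
            return NONE, 0                  # not a signed address at all
        _, ts_str, tag, orig_local = parts
        if not ts_str.isdigit():
            return FAIL, 0
        ts = int(ts_str)
        if not hmac.compare_digest(tag, self._tag(orig_local, ts)):
            return FAIL, 0                  # forged or corrupted tag
        if now < ts or now - ts > self.max_age:
            return FAIL, 0                  # outside the accepted lifetime
        state = self.seen.setdefault(tag, [0, now, 0])
        total, window_start, window_count = state
        if now - window_start >= self.period:
            window_start, window_count = now, 0   # quota window restarts
        if window_count >= self.max_per_period:
            state[1], state[2] = window_start, window_count
            return TEMPERROR, 0             # quota exhausted: soft-fail
        total += 1
        window_count += 1
        state[0], state[1], state[2] = total, window_start, window_count
        over = total - self.free_validations
        delay = min(self.max_delay, over * self.delay_step) if over > 0 else 0
        return PASS, delay
```

With the defaults above, the first three validations of a given address answer at once, the fourth, fifth and sixth wait 5, 10 and 15 seconds, and once ten successes have been handed out within an hour the validator answers temperror until the window restarts; a copy harvested from a list archive more than an hour after generation simply fails.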

